According to court records, the brothers were members of FatWallet.com, an online coupon and shopping site that offers cash back incentives for purchases. FatWallet paid the brothers cash back rewards for purchases on Nordstrom.com.

The brothers found a way to exploit a flaw in Nordstrom’s online ordering system by placing orders that would ultimately be blocked by Nordstrom, with no merchandise being shipped and no charges being made to their credit card. However, Nordstrom continued to compensate FatWallet for the orders, and the brothers received the cash back credit from FatWallet.

While the U.S. Attorney’s office did not provide technical details on how the brothers executed the fraud, business logic attacks like this abuse the intended functionality of a program, as opposed to exploiting an application or server vulnerability, which is common for many attacks.